ibexa CVE Vulnerabilities & Metrics

Focus on ibexa vulnerabilities and metrics.

Last updated: 16 Jun 2026, 22:25 UTC

About ibexa Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ibexa. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total ibexa CVEs: 8
Earliest CVE date: 10 Nov 2022, 21:15 UTC
Latest CVE date: 06 Mar 2026, 17:16 UTC

Latest CVE reference: CVE-2025-70363

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ibexa CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 8
4.0-6.9 0
7.0-8.9 0
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS ibexa CVEs

These are the five CVEs with the highest CVSS scores for ibexa, sorted by severity first, then by recency.

All CVEs for ibexa

CVE-2025-70363 ibexa vulnerability CVSS: 0 06 Mar 2026, 17:16 UTC

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs.

CVE-2020-23065 ibexa vulnerability CVSS: 0 26 Jun 2023, 19:15 UTC

Cross Site Scripting vulnerability in eZ Systems AS eZPublish Platform v.5.4 and eZ Publish Legacy v.5.4 allows a remote authenticated attacker to execute arbitrary code via the video-js.swf.

CVE-2022-48367 ibexa vulnerability CVSS: 0 12 Mar 2023, 05:15 UTC

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.28. Access control based on object state is mishandled.

CVE-2022-48366 ibexa vulnerability CVSS: 0 12 Mar 2023, 05:15 UTC

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.19. It allows determining account existence via a timing attack.

CVE-2022-48365 ibexa vulnerability CVSS: 0 12 Mar 2023, 05:15 UTC

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

CVE-2021-46876 ibexa vulnerability CVSS: 0 12 Mar 2023, 05:15 UTC

An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence.

CVE-2021-46875 ibexa vulnerability CVSS: 0 12 Mar 2023, 05:15 UTC

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.1.1. An XSS attack can occur because JavaScript code can be uploaded in a .html or .js file.

CVE-2022-41876 ibexa vulnerability CVSS: 0 10 Nov 2022, 21:15 UTC

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in version 2.3.12, and in version 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and, if preferred, other properties such as hash type, email and login.